Revert MAINTAIN privilege and pg_maintain predefined role.

This reverts the following commits: 4dbdb82513, c2122aae63, 5b1a879943, 9e1e9d6560, ff9618e82a, 60684dd834, 4441fc704d, and b5d6382496. A role with the MAINTAIN privilege may be able to use search_path tricks to escalate privileges to the table owner. Unfortunately, it is too late in the v16 development cycle to apply the proposed fix, i.e., restricting search_path when running maintenance commands. Bumps catversion. Reviewed-by: Jeff Davis Discussion: https://postgr.es/m/E1q7j7Y-000z1H-Hr%40gemulon.postgresql.org Backpatch-through: 16
2025-12-21 05:21:08 +03:00 · 2023-07-07 11:25:13 -07:00
parent ec99d6e9c8
commit 151c22deee
41 changed files with 179 additions and 445 deletions
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -28,7 +28,7 @@ ALTER DEFAULT PRIVILEGES

 <phrase>where <replaceable class="parameter">abbreviated_grant_or_revoke</replaceable> is one of:</phrase>

-GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
+GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
    [, ...] | ALL [ PRIVILEGES ] }
    ON TABLES
    TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
@@ -51,7 +51,7 @@ GRANT { USAGE | CREATE | ALL [ PRIVILEGES ] }
    TO { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

 REVOKE [ GRANT OPTION FOR ]
-    { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
+    { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
    [, ...] | ALL [ PRIVILEGES ] }
    ON TABLES
    FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
--- a/doc/src/sgml/ref/analyze.sgml
+++ b/doc/src/sgml/ref/analyze.sgml
@@ -182,9 +182,11 @@ ANALYZE [ VERBOSE ] [ <replaceable class="parameter">table_and_columns</replacea
  <title>Notes</title>

  <para>
-   To analyze a table, one must ordinarily have the <literal>MAINTAIN</literal>
-   privilege on the table.  However, database owners are allowed to
+   To analyze a table, one must ordinarily be the table's owner or a
+   superuser.  However, database owners are allowed to
   analyze all tables in their databases, except shared catalogs.
+   (The restriction for shared catalogs means that a true database-wide
+   <command>ANALYZE</command> can only be performed by a superuser.)
   <command>ANALYZE</command> will skip over any tables that the calling user
   does not have permission to analyze.
  </para>
--- a/doc/src/sgml/ref/cluster.sgml
+++ b/doc/src/sgml/ref/cluster.sgml
@@ -70,8 +70,9 @@ CLUSTER [VERBOSE]
   <command>CLUSTER</command> without a
   <replaceable class="parameter">table_name</replaceable> reclusters all the
   previously-clustered tables in the current database that the calling user
-   has privileges for.  This form of <command>CLUSTER</command> cannot be
-   executed inside a transaction block.
+   owns, or all such tables if called by a superuser.  This
+   form of <command>CLUSTER</command> cannot be executed inside a transaction
+   block.
  </para>

  <para>
@@ -132,11 +133,6 @@ CLUSTER [VERBOSE]
 <refsect1>
  <title>Notes</title>

-   <para>
-    To cluster a table, one must have the <literal>MAINTAIN</literal> privilege
-    on the table.
-   </para>
-
   <para>
    In cases where you are accessing single rows randomly
    within a table, the actual order of the data in the
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -21,7 +21,7 @@ PostgreSQL documentation

 <refsynopsisdiv>
 <synopsis>
-GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
+GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
         | ALL TABLES IN SCHEMA <replaceable class="parameter">schema_name</replaceable> [, ...] }
@@ -193,7 +193,6 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
     <term><literal>USAGE</literal></term>
     <term><literal>SET</literal></term>
     <term><literal>ALTER SYSTEM</literal></term>
-     <term><literal>MAINTAIN</literal></term>
     <listitem>
      <para>
       Specific types of privileges, as defined in <xref linkend="ddl-priv"/>.
--- a/doc/src/sgml/ref/lock.sgml
+++ b/doc/src/sgml/ref/lock.sgml
@@ -166,8 +166,8 @@ LOCK [ TABLE ] [ ONLY ] <replaceable class="parameter">name</replaceable> [ * ]

   <para>
    To lock a table, the user must have the right privilege for the specified
-    <replaceable class="parameter">lockmode</replaceable>.
-    If the user has <literal>MAINTAIN</literal>,
+    <replaceable class="parameter">lockmode</replaceable>, or be the table's
+    owner or a superuser.  If the user has
    <literal>UPDATE</literal>, <literal>DELETE</literal>, or
    <literal>TRUNCATE</literal> privileges on the table, any <replaceable
    class="parameter">lockmode</replaceable> is permitted. If the user has
--- a/doc/src/sgml/ref/refresh_materialized_view.sgml
+++ b/doc/src/sgml/ref/refresh_materialized_view.sgml
@@ -31,9 +31,8 @@ REFRESH MATERIALIZED VIEW [ CONCURRENTLY ] <replaceable class="parameter">name</

  <para>
   <command>REFRESH MATERIALIZED VIEW</command> completely replaces the
-   contents of a materialized view.  To execute this command you must have the
-   <literal>MAINTAIN</literal>
-   privilege on the materialized view.  The old contents are discarded.  If
+   contents of a materialized view.  To execute this command you must be the
+   owner of the materialized view.  The old contents are discarded.  If
   <literal>WITH DATA</literal> is specified (or defaults) the backing query
   is executed to provide the new data, and the materialized view is left in a
   scannable state.  If <literal>WITH NO DATA</literal> is specified no new
--- a/doc/src/sgml/ref/reindex.sgml
+++ b/doc/src/sgml/ref/reindex.sgml
@@ -292,21 +292,16 @@ REINDEX [ ( <replaceable class="parameter">option</replaceable> [, ...] ) ] { DA
  </para>

  <para>
-   Reindexing a single index or table requires
-   having the <literal>MAINTAIN</literal> privilege on the
-   table.  Note that while <command>REINDEX</command> on a partitioned index or
-   table requires having the <literal>MAINTAIN</literal> privilege on the
-   partitioned table, such commands skip the privilege checks when processing
-   the individual partitions.  Reindexing a schema or database requires being the
-   owner of that schema or database or having privileges of the
-   <link linkend="predefined-roles-table"><literal>pg_maintain</literal></link>
-   role.  Note specifically that it's thus
+   Reindexing a single index or table requires being the owner of that
+   index or table.  Reindexing a schema or database requires being the
+   owner of that schema or database.  Note specifically that it's thus
   possible for non-superusers to rebuild indexes of tables owned by
-   other users.  However, as a special exception,
-   <command>REINDEX DATABASE</command>, <command>REINDEX SCHEMA</command>,
-   and <command>REINDEX SYSTEM</command> will skip indexes on shared catalogs
-   unless the user has the <literal>MAINTAIN</literal> privilege on the
-   catalog.
+   other users.  However, as a special exception, when
+   <command>REINDEX DATABASE</command>, <command>REINDEX SCHEMA</command>
+   or <command>REINDEX SYSTEM</command> is issued by a non-superuser,
+   indexes on shared catalogs will be skipped unless the user owns the
+   catalog (which typically won't be the case).  Of course, superusers
+   can always reindex anything.
  </para>

  <para>
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -22,7 +22,7 @@ PostgreSQL documentation
 <refsynopsisdiv>
 <synopsis>
 REVOKE [ GRANT OPTION FOR ]
-    { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MAINTAIN }
+    { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
         | ALL TABLES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }
--- a/doc/src/sgml/ref/vacuum.sgml
+++ b/doc/src/sgml/ref/vacuum.sgml
@@ -444,9 +444,11 @@ VACUUM [ FULL ] [ FREEZE ] [ VERBOSE ] [ ANALYZE ] [ <replaceable class="paramet
  <title>Notes</title>

   <para>
-    To vacuum a table, one must ordinarily have the <literal>MAINTAIN</literal>
-    privilege on the table.  However, database owners are allowed to
+    To vacuum a table, one must ordinarily be the table's owner or a
+    superuser.  However, database owners are allowed to
    vacuum all tables in their databases, except shared catalogs.
+    (The restriction for shared catalogs means that a true database-wide
+    <command>VACUUM</command> can only be performed by a superuser.)
    <command>VACUUM</command> will skip over any tables that the calling user
    does not have permission to vacuum.
   </para>